DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Improved Administration Can Enhance Federal Emergency Management Agency Laptop Computer Security
(Redacted)

The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-07-50                                                          June 2007

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

June 5, 2007

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of the Federal Emergency Management Agency (FEMA) laptop computer security controls. It is based on interviews with FEMA officials, direct observations, technical tests, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary ..... 1
Background ..... 3
Results of Audit ..... 5
    Standard Configuration Will Enhance Laptop Security ..... 5
    Recommendations ..... 9
    Management Comments And OIG Analysis ..... 10
    Improved Patch Management Will Increase Security ..... 10
    Recommendations ..... 14
    Management Comments And OIG Analysis ..... 15
    Enhanced Inventory Management Is Needed For Property Accountability ..... 15
    Recommendations ..... 19
    Management Comments And OIG Analysis ..... 20
    FEMA Needs To Certify And Accredit Laptop Computers To Comply With FISMA ..... 20
    Recommendations ..... 21
    Management Comments And OIG Analysis ..... 22

Appendices
    Appendix A: Purpose, Scope, and Methodology ..... 23
    Appendix B: Management Comments to the Draft Report ..... 28
    Appendix C: Major Contributors to this Report ..... 31
    Appendix D: Report Distribution ..... 32

Abbreviations
    ATL      Advanced Technology Laboratory
    BIOS     Basic Input Output System
    CIO      Chief Information Officer
    CSIRC    Computer Security Incident Response Center
    DHS      Department of Homeland Security
    DISC     Disaster Information Systems Clearinghouse
    FEMA     Federal Emergency Management Agency
    FIPS     Federal Information Processing Standards
    FISMA    Federal Information Security Management Act of 2002
    IP       Internet Protocol
    IT       Information Technology
    LIMS     Logistics Information Management System
    MERS     Mobile Emergency Response Support
    NIST     National Institute of Standards and Technology
    OIG      Office of Inspector General
    SBU      Sensitive But Unclassified
    SP       Special Publication
    WSUS     Windows Server Update Services

Executive Summary

We audited the Department of Homeland Security and its organizational components' security program to evaluate the security and integrity of select government-issued laptop computers. This report focuses on the Federal Emergency Management Agency. Our objective was to determine whether the Federal Emergency Management Agency has established and implemented adequate and effective security policies and procedures related to the physical security of and logical access to its government-issued laptop computers.

Significant work remains for the Federal Emergency Management Agency to further strengthen the configuration, patch, and inventory management controls necessary to protect its government-issued laptop computers. Specifically, the Federal Emergency Management Agency has not established: (1) effective processes to apply the domain security policy to its laptops that meet required minimum-security settings; (2) effective procedures to patch laptop computers; and (3) adequate laptop computer inventory management procedures. As a result, sensitive information stored and processed on Federal Emergency Management Agency laptop computers may not be protected properly. 
Further, because the Federal Emergency Management Agency applies the same domain security policies for its desktop computers, the configuration weaknesses identified with laptop computers are relevant to all government-issued computers assigned within the Federal Emergency Management Agency. Finally, we were unable to evaluate the Federal Information Security Management Act of 2002 requirements because the Federal Emergency Management Agency had not accounted for its laptop computers as part of a recognized information technology system.

To secure Federal Emergency Management Agency data stored on government-issued laptop computers, we are making seven recommendations to the Federal Emergency Management Agency Director. Our recommendations focus on developing a standard configuration, remedying existing vulnerabilities, patching and updating laptop computers, implementing inventory management controls, and complying with Federal Information Security Management Act requirements.

In response to our draft report, the Federal Emergency Management Agency concurred with our recommendations. The Federal Emergency Management Agency's response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

The Federal Emergency Management Agency (FEMA) leads the effort to prepare the nation for all hazards and manages federal response and recovery efforts following any national incident. FEMA employs over 2,600 full-time employees and has approximately 4,000 standby disaster assistance employees who are available for deployment after disasters. As part of the nation's emergency management system, FEMA partners with state and local emergency management agencies, 27 federal agencies, and the American Red Cross. To fulfill its mission, FEMA has over 32,000 laptop computers in its automated property management system.

As the weight and price of laptops have decreased and their computing power and ease of use have increased, their popularity has grown among government employees. The Department of Homeland Security (DHS) relies heavily on laptop computers for conducting business. The mobility of laptops has increased the productivity of the workforce, but at the same time increased the risk of theft, unauthorized data disclosure, and virus infection. Thefts of laptop computers occur regularly from offices, airports, automobiles, and hotel rooms, and the incidence of laptop thefts is increasing.

According to the DHS Computer Security Incident Response Center (CSIRC), 16 security incidents involving stolen or missing DHS laptop computers were reported in 2006, including government-issued laptops from U.S. Customs and Border Protection, United States Secret Service, U.S. Immigration and Customs Enforcement, Transportation Security Administration, and DHS Headquarters. Further, in September 2006, the Government Accountability Office and DHS Office of Inspector General (OIG), in a joint report to Congressional Committees, reported that the Federal Emergency Management Agency (FEMA) had more than 100 missing and presumed stolen laptop computers valued at $300,000.1

1 Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity, September 2006, GAO-06-1117.

Government organizations that provide for the use of laptop computers must take steps to ensure that the equipment and the information stored on them are properly protected. Such steps may include ensuring secure storage of laptop computers when they are not in use; encrypting data files stored on laptops; installing adequate security software applications such as firewalls and anti-virus software; disabling and controlling built-in wireless, Bluetooth, and infrared connection capabilities; and regularly updating operating system and application software.

DHS Sensitive Systems Policy Directive 4300A and DHS National Security Systems Policy Directive 4300B provide direction to DHS components regarding the management and protection of sensitive and classified systems, respectively. In this report, we refer to DHS Sensitive Systems Policy Directive 4300A and DHS National Security Systems Policy Directive 4300B collectively as "DHS policy."

These policies outline the management, operational, and technical controls necessary for ensuring confidentiality, integrity, availability, and authenticity within the DHS Information Technology (IT) infrastructure and operations. DHS policy requires that its components ensure that strong inventory management, physical security, logical access, and wireless security controls are implemented for all systems processing sensitive or classified information. The department developed the DHS 4300A Sensitive Systems Handbook and the DHS 4300B National Security Systems Handbook to provide specific techniques and procedures for implementing the requirements of DHS policy. Further, in May 2006, DHS published a series of secure baseline configuration guides for certain operating systems and software applications, such as Microsoft Windows.

The National Institute of Standards and Technology (NIST) has issued several publications related to laptop inventory management, physical security, logical access, and wireless security controls. Specifically, NIST Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook, provides guidance for establishing adequate logical and physical access controls for sensitive government systems, including the use of strong passwords, encryption, and user administration practices. Further, NIST SP 800-46, Security for Telecommuting and Broadband Communications, provides security guidelines for laptops used to remotely access government networks, including the use of anti-virus software, personal firewalls, encryption, and basic input output system (BIOS) passwords. BIOS is the software code run by a computer when first powered on. The primary function of BIOS is to prepare the machine so other software programs stored on various media (such as hard drives, floppies, and CDs) can load, execute, and assume control of the computer. This process is known as booting up.

Results of Audit

Standard Configuration Will Enhance Laptop Security

FEMA does not have a secure standard configuration for its laptop computers. We evaluated whether FEMA established and followed adequate procedures to ensure that laptops were configured appropriately to protect sensitive data contained in its government-issued laptops. Also, we assessed the process used by FEMA to develop and apply a domain group policy2 that establishes the security settings that are applied to all computers connecting to its network. Finally, we tested a sample of 298 user-assigned, shared, loaner, and unassigned laptop computers to ensure that the configuration was in conformance with DHS and federal guidelines.3 These tests included:
    • Automated vulnerability assessment scans and port scanning of 298 laptops to identify configuration weaknesses;
    • Detailed technical testing for a subset of 65 laptops to confirm the automated testing results and determine account, audit, access privilege, and password parameter settings;
    • Password strength analysis for a subset of 65 laptops to ensure that 
strong passwords were used; and
    • Manual reviews for a subset of 65 laptops to verify the presence and configuration of installed software.

2 Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment.
3 An image contains a group of programs to be duplicated verbatim onto other computers. It typically contains the operating system and a selected set of applications that are preconfigured.

We tested 298 laptop computers to determine whether FEMA had applied adequate logical access controls. FEMA's current process does not establish the required minimum security for laptop computers as directed by DHS. Because FEMA uses the same process to configure both its laptop and desktop computers, the configuration weaknesses are relevant to all FEMA government-issued computers. As a result of the security issues identified, sensitive data may not be properly protected.

Because of its diverse mission, FEMA has developed multiple standard images based on DHS guidelines and industry best practices, as well as requirements established in DHS policy. FEMA has developed eight standard images for Disaster Information Systems Clearinghouse (DISC) laptop computers. The DISC operates a storage and recycling center that provides centralized control and deployment of all computer and communications equipment necessary to support disaster declarations. FEMA DISC officials said approximately [redacted] of 32,145 ([redacted]%) laptop computers contain the DISC standard images established to support disaster operations. In addition, FEMA headquarters, Region 8, and Mobile Emergency Response Support (MERS) Denver had developed their own standard images for laptop computers that were not distributed by DISC. A FEMA MERS detachment provides mobile telecommunications, operational support, life support, and power generation assets for the on-site management of disaster and all-hazard activities. FEMA officials do not know how many standard images are employed throughout the agency.

FEMA standard images contain an operating system and general support applications. Depending on the mission requirements, additional applications may be loaded onto laptops. FEMA's standard images also incorporate anti-virus software, as well as a personal firewall for users that remotely access the FEMA network. Further, FEMA employs a domain group policy that ensures computers connecting to its network adhere to an established set of security controls. Local IT administrators cannot remove the security restrictions enforced by the group policy, but they can make the group policy more restrictive. Although these measures enhance the security of FEMA's laptop computers, certain critical controls were not incorporated into laptop configuration settings or the domain group policy. Specifically, FEMA needed to:
    • [redacted].4
    • [redacted]
    • [redacted]
    • [redacted]
    • [redacted]
    • [redacted]
    • [redacted]
        o [redacted]
        o [redacted]
        o [redacted]
        o [redacted]
    • [redacted]
        o [redacted]
        o [redacted]

4 [redacted]
5 [redacted]

These weaknesses are the result of FEMA not developing a model system that meets minimum-security requirements for laptop computers, as directed by DHS.

DHS policy requires that components establish, implement, and enforce change management and configuration management controls on all IT systems and networks. The DHS IT Security Architecture Guidance also advises that each fully supported operating system have a standard configuration from which every instance is built. According to NIST SP 800-40, standardized configurations reduce the labor involved in identifying, testing, and applying patches, and ensure a higher level of consistency, which leads to improved security. DHS and federal configuration guidelines also establish requirements related to security parameter settings, including account policy settings, access permissions, and renaming administrator and guest accounts.

DHS and NIST require that sensitive information stored on laptop computers, which may be used in a residence or on travel, be encrypted using NIST Federal Information Processing Standards (FIPS) Publication 140-2 approved encryption.6 DHS and NIST recommend that the boot priority and BIOS passwords be set on sensitive systems to reduce the possibility of exploitation by an attacker with physical access to the laptop. DHS 4300A requires that functions that transmit or receive infrared signals shall be disabled in areas where sensitive information is discussed. Although personal firewalls are not required under DHS Policy Publication 4300A, security controls are necessary for laptops that remotely connect to the network.

6 NIST FIPS 140-2 specifies the security requirements for cryptographic modules used within a security system protecting sensitive but unclassified information. The standard provides four increasing levels of security that are intended to cover a wide range of potential applications and environments. The Cryptographic Module Validation Program substantiates cryptographic modules to FIPS 140-2 and other cryptography-based standards. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies for the protection of sensitive information.

As a result of FEMA not ensuring that all laptop computers are configured appropriately, [redacted] Because FEMA uses the same process to apply group policy settings for both its laptop and desktop computers, the configuration weaknesses are relevant to all FEMA government-issued computers.

Recommendations

To secure FEMA data stored on government-issued laptop computers, we recommend that the Director of FEMA instruct the Chief Information Officer (CIO) to:

Recommendation #1: Develop and implement a secure standard configuration for all computers. Further, the CIO should establish procedures to ensure that the model system is configured to protect FEMA data and verified prior to implementation.

Recommendation #2: Remedy the existing critical vulnerabilities identified on laptop computers based on DHS and federal configuration guidelines. Further, the CIO should confirm whether similar vulnerabilities and remediation are applicable to all government-issued computers within FEMA.

Management Comments And OIG Analysis

FEMA concurs with recommendation 1. FEMA has taken steps to develop and implement standard hard drive images. FEMA will develop a schedule to ensure that laptop computers connected to its network comply with DHS security guidelines.

We accept FEMA's response to implement and distribute a standard image for all government-issued computers.

FEMA concurs with recommendation 2. FEMA has begun taking steps to implement the recommended security settings. All laptop computers used for remote access will have a firewall enabled. FEMA is removing all Windows 2000 machines from its network and inventory.

We accept FEMA's response to implement corrective action plans for the existing vulnerabilities in its standard configuration.

Improved Patch and Update Management Will Increase Security

FEMA has procedures to patch and update its laptop computers prior to being placed into operation as part of its image install process. 
However, for laptop computers in use, FEMA has not established effective procedures to patch and update its laptop computers to protect against known operating system vulnerabilities and computer viruses. For those computers already in operation, FEMA distributes patches and updates through its network by patch management software. We conducted vulnerability assessment scans on a sample of 298 laptop computers to determine whether patches and updates had been applied. To determine if Microsoft, anti-virus, and third-party software patches and updates had been applied, we performed an automated scan with [redacted] and conducted manual reviews.

Microsoft Patches

Microsoft issues patches to help its customers operate their systems and networks securely. Applying patches is the primary method of fixing security vulnerabilities in vendor software. Our assessment scans identified patches related to critical, important, and moderate risk vulnerabilities that had not been applied. Specifically, [redacted],

Table 1: Number Of Missing Patches For Each Severity Rating
    Critical      Important     Moderate      Total
    [redacted]    [redacted]    [redacted]    [redacted]

The oldest missing critical patch is [redacted], published in [redacted], to correct a vulnerability in [redacted]. Further, [redacted] of 298 ([redacted]%) laptops were missing one or more of Microsoft Windows critical, important, or moderate patches.

Table 2 illustrates the number of missing critical, important, and moderate risk patches on FEMA laptop computers by site.

Table 2: Missing Patches

                                        Number of    Number of Laptops With Missing Patches
Site/Type                               Laptops      1-3        4-10       11-20      21-30      31 or More
                                        Tested       Patches    Patches    Patches    Patches    Patches
Weaknesses by Region
FEMA Headquarters, Washington, DC       [redacted]   [redacted] [redacted] [redacted] [redacted] [redacted]
Joint Field Office, Albany, NY          [redacted]   [redacted] [redacted] [redacted] [redacted] [redacted]
Joint Field Office, Baton Rouge, LA     [redacted]   [redacted] [redacted] [redacted] [redacted] [redacted]
MERS detachment, Denver, CO             [redacted]   [redacted] [redacted] [redacted] [redacted] [redacted]
Region 8, Denver, CO                    [redacted]   [redacted] [redacted] [redacted] [redacted] [redacted]
Total                                   298          [redacted] [redacted] [redacted] [redacted] [redacted]
Source: OIG table based on the results of technical testing and interviews with FEMA personnel.

FEMA uses a Windows Server Update Services (WSUS) server in order to centrally control the patch management service for Microsoft Windows operating systems and other software. To receive patches, a laptop computer must be connected to the FEMA domain and access the WSUS server to download the updates. Further, once patches are downloaded onto the laptop, the user must manually initiate the install process. 
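The controls the report audits on each laptop (renamed administrator and guest accounts, host firewall, FIPS 140-2 encryption of stored data, BIOS and boot-order passwords, WSUS-delivered patches that install without user action, and current anti-virus signatures) can be verified on a single machine with a read-only check. The script below is an added example written for this page; it is not FEMA's or the OIG's tooling, nor the redacted scanner the audit used. It assumes a Windows 10 or 11 laptop, Windows PowerShell 5.1 run from an elevated prompt, the Group Policy registry values that Windows Update reads for WSUS, and Microsoft Defender for the signature-age check; the thresholds (MaxPatchAgeDays, MaxSignatureAgeDays) are illustrative and are not figures from the report.

```powershell
# Added example, not from the OIG report: read-only compliance check of one
# Windows laptop against the controls discussed in the report. Run elevated.
# Assumed: Windows 10/11 with the LocalAccounts, NetSecurity, BitLocker and
# Defender modules; WSUS configured through Group Policy registry values.
param(
    [int]$MaxPatchAgeDays     = 30,   # illustrative threshold, not from the report
    [int]$MaxSignatureAgeDays = 7     # illustrative threshold, not from the report
)

$script:findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $script:findings.Add([pscustomobject]@{ Control = $Control; Status = $status; Detail = $Detail })
}

# 1. Built-in accounts: the RID (last SID component) identifies them whatever
#    they are called. 500 = built-in Administrator, 501 = Guest.
foreach ($acct in Get-LocalUser) {
    $rid = $acct.SID.Value.Split('-')[-1]
    switch ($rid) {
        '500' { Add-Finding 'Administrator account renamed' ($acct.Name -ne 'Administrator') "name=$($acct.Name) enabled=$($acct.Enabled)" }
        '501' { Add-Finding 'Guest account renamed and disabled' ($acct.Name -ne 'Guest' -and -not $acct.Enabled) "name=$($acct.Name) enabled=$($acct.Enabled)" }
    }
}

# 2. Host firewall on every profile (needed for laptops that connect remotely).
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall enabled ($($p.Name) profile)" ([bool]$p.Enabled) "Enabled=$($p.Enabled)"
}

# 3. Full-disk encryption of the system drive (BitLocker used as the check here;
#    whether the module is FIPS 140-2 validated is a separate policy question).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Finding 'System drive encrypted' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"
} else {
    Add-Finding 'System drive encrypted' $false 'BitLocker cmdlets not available on this edition'
}

# 4. WSUS policy. AUOptions 3 = download, then wait for the user to install
#    (the behaviour the report describes); 4 = download and install on schedule.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Finding 'WSUS server configured'              ([bool]$wu.WUServer -and $au.UseWUServer -eq 1) "WUServer=$($wu.WUServer) UseWUServer=$($au.UseWUServer)"
Add-Finding 'Updates install without user action' ($au.AUOptions -eq 4)                          "AUOptions=$($au.AUOptions)"

# 5. Patch currency: age of the newest installed update, and updates still pending.
$lastHotfix = Get-HotFix | Where-Object { $null -ne $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($lastHotfix) { (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding "Patched within $MaxPatchAgeDays days" ($ageDays -le $MaxPatchAgeDays) "last=$($lastHotfix.HotFixID) ageDays=$ageDays"

try {
    $pending = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates
    Add-Finding 'No pending updates' ($pending.Count -eq 0) ('pending=' + (($pending | ForEach-Object { $_.Title }) -join '; '))
} catch {
    # Typical for a laptop that cannot reach its update server: the agent cannot
    # evaluate its own state, which is itself worth recording as a failure.
    Add-Finding 'No pending updates' $false "update search failed: $($_.Exception.Message)"
}

# 6. Anti-virus signature age (Microsoft Defender; other products expose this differently).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    Add-Finding 'Anti-virus enabled' ([bool]$mp.AntivirusEnabled) "RealTimeProtection=$($mp.RealTimeProtectionEnabled)"
    Add-Finding "Anti-virus signatures within $MaxSignatureAgeDays days" ($sigAge -le $MaxSignatureAgeDays) "signatureAgeDays=$sigAge"
}

# 7. Firmware passwords and boot order are not visible from inside the OS, so
#    they are always emitted as a manual item rather than silently passed.
Add-Finding 'BIOS password and boot order (manual check)' $false 'verify at the firmware setup screen'

$script:findings | Format-Table -AutoSize
# Non-zero exit when anything failed, so the script can gate a network or
# inventory workflow the same way the report says the anti-virus server does.
exit ([int](@($script:findings | Where-Object Status -eq 'FAIL').Count -gt 0))
```

On a laptop that does not regularly join the domain, the WSUS and pending-update checks are the ones that normally fail, which is the gap the report describes; on a machine built from a domain-joined image they should pass without any manual step. The BIOS line always reports as a manual item because firmware settings cannot be read from the operating system, so a field review still has to look at the setup screen.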
FEMA does not have procedures to\n            download and install patches to laptop computers that do not regularly connect\n            to its network.\n\n            Third-Party Software Patches\n\n            Software vendors issue patches as vulnerabilities are discovered in system\n            software to assist their customers in protecting their systems and networks.\n            Security patches must be installed according to FEMA\xe2\x80\x99s configuration\n            management plans or at the direction of the DHS CSIRC. We tested 298 laptop\n            computers to identify third-party software and to determine whether FEMA had\n            applied patches to mitigate known security weaknesses.\n\n\n\n\n           Improved Administration Can Enhance FEMA Laptop Computer Security\n\n\n                                           Page 12 \n\n\x0cThere were patches related to both critical and high-risk vulnerabilities that had\nnot been applied. Specifically, FEMA had not patched:\n    \xe2\x80\xa2\n\n\n\n\n    \xe2\x80\xa2\n\n\n\n\n    \xe2\x80\xa2\n\n\n\n\n    \xe2\x80\xa2\n\n\n\n\nDHS policy requires that IT security patches be installed according to\nconfiguration management plans or direction from DHS CSIRC. According to\nNIST SP 800-40, patching is critical to maintaining the operational availability,\nconfidentiality, and integrity of information technology systems. NIST\nSP 800-40 recommends that organizations have a systematic, accountable, and\ndocumented process for managing exposure to vulnerabilities through the\ntimely deployment of patches.\n\nBecause FEMA had not applied all relevant patches to its laptops,\n\n\n\n\nImproved Administration Can Enhance FEMA Laptop Computer Security\n\n\n                             Page 13 \n\n\x0c    Anti-virus Updates\n\n    FEMA maintains anti-virus update servers that check computers, and\n    downloads and install current anti-virus definitions before access is granted to\n    its domain. 
When a laptop computer is connected to the FEMA domain, it is\n    automatically directed to FEMA\xe2\x80\x99s anti-virus update server to ensure\n    compliance with current virus definitions. Laptops that are not compliant with\n    the latest anti-virus signatures are denied access to the network. We manually\n    reviewed 65 laptop computers and\n\n\n\n\n    DHS policy requires components to establish and enforce a virus protection\n    control policy. In addition, components shall implement a defense-in-depth\n    strategy that installs anti-virus software on its computers that is properly\n    configured to check all files, downloads, and e-mails. Further, components\n    shall install updates to antivirus software and signature files for each computer\n    in a timely and expeditious manner without requiring the end user to\n    specifically request the update.\n\n    As a result of laptop computers not regularly connecting to FEMA\xe2\x80\x99s domain,\n    laptops are not updated with the latest anti-virus signatures. Further, since\n    employees may connect to the Internet from a residence, hotel, airport, or\n    public wireless network, viruses and other types of malicious code pose a\n    significant threat to FEMA laptop computers, which can affect the availability,\n    integrity, and confidentiality to the laptop and its data.\n\nRecommendations\n    To secure FEMA data stored on government-issued laptop computers, we\n    recommend that the Director of FEMA instruct the Chief Information Officer\n    (CIO) to:\n\n\n    Improved Administration Can Enhance FEMA Laptop Computer Security\n\n                                 Page 14\n\x0c          Recommendation #3: Implement procedures to ensure that all FEMA laptops\n          are patched and updated in a timely manner, including those that do not\n          regularly connect to the FEMA network.\n\n     Management Comments And OIG Analysis\n          FEMA concurs with recommendation 3. 
FEMA has taken steps to implement an automated patch management solution to ensure required patches are applied to FEMA's laptop computers. FEMA will require its laptop computers to connect to the FEMA network to ensure patches are downloaded.

We accept FEMA's response to implement an automated patch management solution and monitor its patching process to verify that patches are applied.

Enhanced Inventory Management Is Needed For Property Accountability

FEMA has not established effective inventory management procedures for its laptop computers. We evaluated FEMA procedures for maintaining an accurate laptop inventory, returning equipment upon employee exit or transfer, handling lost or stolen laptops,                              , and providing the proper labeling of laptop computers. Also, we reviewed laptop physical security measures and assessed the FEMA laptop inventory by analyzing the integrity of inventory data on the 298 laptop computers included in our manual reviews.

FEMA has procedures for entering laptop computers into the Logistics Information Management System (LIMS), its property management system. However, FEMA has not implemented several critical inventory management controls. Specifically, FEMA has not:
    • Maintained an accurate inventory;
    • Ensured that lost or stolen laptops were reported to the appropriate officials;
    •                              ; and
    • Appropriately marked its Sensitive But Unclassified (SBU) laptops.

As a result of these weaknesses in inventory management and property accountability procedures, there is greater risk that FEMA officials will not have a complete and accurate inventory of its laptop computers. In addition, sensitive information may not be restricted appropriately, and unauthorized access to personally identifiable information contained in the laptops could result in an adverse effect, with widespread effect on individual privacy.

Laptop Inventory Is Not Accurate

Although FEMA has an inventory for its SBU laptop computers, it has not established effective inventory management procedures to ensure that its records are accurate. We randomly selected 242 laptop computers to determine the accuracy of FEMA's inventory. FEMA's inventory had a number of discrepancies. Specifically, 74 (31%) laptops were not updated in the LIMS. See Appendix A for additional information about our selection methodology. Upon further analysis, the 74 laptops were:
    • Lost, damaged, or excess laptops that had not been removed from the inventory.
    • Desktop computers that had been recorded as laptops.
    • Inventory entry errors made by the Accountable Property Officers.
    • Laptops that had been transferred to other locations.

In addition, 41 laptop computers located in Denver, Colorado were included on a local inventory but not recorded in LIMS. Local officials said 20 of these laptops were not included in LIMS because FEMA had not yet assumed ownership of the systems. The remaining laptops were not included in the inventory because the Accountable Property Officers had not updated LIMS with the current status.

FEMA does not conduct semiannual inventories as required by DHS policy. Further, FEMA's Personal Property Management Program Manual 6150.1 is not aligned with DHS policy, which requires semiannual inventories. Also, when inventories are conducted, local Accountable Property Officers do not include an examination of installed software. Accountable Property Officers we interviewed were not aware of these requirements.

DHS policy requires that components develop and maintain a property inventory of all portable electronic devices, such as laptops. This inventory is to include serial numbers or seat numbers, user names, use, and location of all portable electronic devices for accountability purposes.7 In addition, DHS policy requires that components conduct reviews, at least semiannually, of all equipment and software to ensure that only government-licensed software and equipment are being used, and that appropriate exceptions have been documented. As a result of an incomplete and inaccurate inventory, there is a greater risk that FEMA officials will not be able to account for their laptop computers or be prepared to effectively manage federal response and recovery efforts following a major incident.

7 A seat, also referred to as a "node," is an intelligent element like a processor that can communicate using interprocessor communications. A seat is where entities and ports reside.

Lost or Stolen Laptops Are Not Reported Appropriately

FEMA has not ensured that lost or stolen laptops are reported to the DHS CSIRC. As illustrated in Table 3, we identified 26 of 242 (11%) laptop computers judgmentally selected from the LIMS inventory that FEMA officials could not locate. FEMA was unaware that these laptops were missing.

                    Table 3: Unaccountable Laptop Computers

Site                                   Number of Laptops Randomly   Number of Laptops FEMA
                                       Selected for Testing         Could Not Account For
FEMA Headquarters, Washington, DC      60
Joint Field Office, Albany, NY         60
Joint Field Office, Baton Rouge, LA    60
MERS Detachment, Denver, CO            28
Region 8, Denver, CO                   34
Total                                  242

Further, FEMA's Security Branch issued a memorandum in September 2006 reporting that 58 laptop computers were lost, missing, or stolen since January 2005. The laptop security incidents were investigated and reported to FEMA Headquarters, but were not reported to DHS CSIRC. According to FEMA officials, the 58 missing computers were not reported because the DHS CSIRC is a relatively new entity. FEMA officials said that since our review, they have begun reporting security incidents to DHS CSIRC.

DHS policy requires that components report significant computer security incidents to the DHS CSIRC immediately upon identification and validation of incident occurrence. The DHS CSIRC is normally responsible for notifying appropriate law enforcement authorities of a security event, who pursue the investigation and recommend disciplinary action, if required. 
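The inventory discrepancies (stale records, desktops recorded as laptops, transfers not posted, units on a local list only) and the unreported losses described in the two preceding sections are all detectable by routinely reconciling the property system against what is physically located on site. The following Python script is an added illustration and is not part of the OIG report or of any FEMA or LIMS system; its record layout, status vocabulary, site names and serial numbers are constructed for the example.

```python
"""Reconcile a property-system (LIMS-style) laptop inventory against on-site
observations and flag the discrepancy classes the audit describes.

Added illustration: the record layout, status values, serial numbers and
observations below are constructed for the example, not taken from LIMS.
"""
from collections import defaultdict
from dataclasses import dataclass

ACTIVE = "active"
LOSS_STATUSES = {"lost", "stolen"}          # must be reported to CSIRC
RETIRED_STATUSES = {"damaged", "excess"}    # should be removed from inventory


@dataclass(frozen=True)
class PropertyRecord:
    """One row of the property management system (constructed layout)."""
    serial: str
    asset_type: str          # what the record says: "laptop" or "desktop"
    site: str                # recorded location
    status: str              # ACTIVE, or a LOSS_STATUSES / RETIRED_STATUSES value
    reported_to_csirc: bool = False


@dataclass(frozen=True)
class SiteObservation:
    """One device an auditor physically located and identified by serial."""
    serial: str
    asset_type: str          # what was actually found
    site: str                # where it was found


CATEGORIES = (
    "cannot_account_for",          # carried as active, not found at any site
    "stale_record",                # lost/stolen/damaged/excess still carried
    "misclassified_asset",         # recorded as laptop, found to be a desktop
    "transferred_not_updated",     # found at a different site than recorded
    "not_in_property_system",      # found on site, absent from the system
    "loss_not_reported_to_csirc",  # lost/stolen with no incident report
)


def reconcile(records, observations):
    """Return {category: sorted serials} for every discrepancy found."""
    found = {o.serial: o for o in observations}
    known = set()
    result = {c: [] for c in CATEGORIES}
    for r in records:
        known.add(r.serial)
        if r.status in LOSS_STATUSES or r.status in RETIRED_STATUSES:
            # Finding: lost, damaged or excess units never removed from inventory.
            result["stale_record"].append(r.serial)
            if r.status in LOSS_STATUSES and not r.reported_to_csirc:
                result["loss_not_reported_to_csirc"].append(r.serial)
            continue
        obs = found.get(r.serial)
        if obs is None:
            result["cannot_account_for"].append(r.serial)
        elif obs.asset_type != r.asset_type:
            result["misclassified_asset"].append(r.serial)
        elif obs.site != r.site:
            result["transferred_not_updated"].append(r.serial)
    for serial in found:
        if serial not in known:
            # Finding: units carried on a local list but not in the system.
            result["not_in_property_system"].append(serial)
    return {c: sorted(v) for c, v in result.items()}


def unaccounted_by_site(records, observations):
    """Table 3-style summary: {site: (active records sampled, not located)}."""
    found = {o.serial for o in observations}
    sampled = defaultdict(int)
    missing = defaultdict(int)
    for r in records:
        if r.status != ACTIVE:
            continue
        sampled[r.site] += 1
        if r.serial not in found:
            missing[r.site] += 1
    return {site: (sampled[site], missing[site]) for site in sorted(sampled)}


# Constructed sample data (not FEMA data).
SAMPLE_RECORDS = [
    PropertyRecord("L-1001", "laptop", "Washington, DC", ACTIVE),
    PropertyRecord("L-1002", "laptop", "Washington, DC", ACTIVE),     # never located
    PropertyRecord("L-1003", "laptop", "Washington, DC", ACTIVE),     # really a desktop
    PropertyRecord("L-2001", "laptop", "Albany, NY", ACTIVE),         # moved to Denver
    PropertyRecord("L-2002", "laptop", "Albany, NY", "excess"),       # never removed
    PropertyRecord("L-3001", "laptop", "Baton Rouge, LA", "stolen"),  # unreported
    PropertyRecord("L-3002", "laptop", "Baton Rouge, LA", "lost", reported_to_csirc=True),
    PropertyRecord("L-4001", "laptop", "Denver, CO", ACTIVE),
]
SAMPLE_OBSERVATIONS = [
    SiteObservation("L-1001", "laptop", "Washington, DC"),
    SiteObservation("L-1003", "desktop", "Washington, DC"),
    SiteObservation("L-2001", "laptop", "Denver, CO"),
    SiteObservation("L-4001", "laptop", "Denver, CO"),
    SiteObservation("L-4002", "laptop", "Denver, CO"),                # local list only
]

if __name__ == "__main__":
    for category, serials in reconcile(SAMPLE_RECORDS, SAMPLE_OBSERVATIONS).items():
        print(f"{category:28s} {serials}")
    for site, (n, lost) in unaccounted_by_site(SAMPLE_RECORDS, SAMPLE_OBSERVATIONS).items():
        print(f"{site:16s} sampled={n} could_not_account_for={lost}")
```

Every serial in `loss_not_reported_to_csirc` is an incident that should have gone to the CSIRC, and the per-site counts are the figures a Table 3 would be built from.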
Because FEMA had not reported these security incidents to the DHS CSIRC, senior DHS officials may not be aware of the extent or scope of laptop security issues at the department, and the appropriate corrective actions may not have been taken. Further, without an accurate inventory, FEMA may not be aware of additional missing laptop computers.

Laptops Are

FEMA has implemented procedures for
                                  .8 Specifically:
    •
    •

In July 2006, FEMA issued a standard operating procedure and technical guidance to ensure compliance with federal laws and regulations. However, FEMA IT staff we interviewed do not adhere to DHS policy or FEMA guidelines.

DHS policy requires that components ensure that
                                                  DHS policy also requires that components ensure that
                                                  ,
                                                  As a result of these weaknesses in FEMA's                    , there is greater risk that access to sensitive information may not be limited properly.

8

Laptops Are Not Marked Appropriately

FEMA has not ensured that its laptops are appropriately labeled. Specifically, none of the SBU laptops tested were: (1) marked with the highest classification level of the information that has been processed or stored on the device, or (2) labeled to indicate that the units were not authorized for classified processing.

FEMA's Personal Property Management Program Manual 6150.1 does not address marking computers with the highest classification level or affixing labels on units authorized for classified processing. Local IT staff and Accountable Property Officers we interviewed were unaware of this requirement. Headquarters officials said that FEMA had not had the opportunity to label its laptop computers and is currently considering what other DHS components are using to mark and label their systems.

DHS policy requires that all equipment be marked with the highest classification level of the information that has been processed or stored on the device. Because these laptops were not appropriately marked, there is greater risk that classified information may have been processed on an unclassified system. DHS policy also recommends that a label be affixed to PCs, terminals, and laptops not authorized to process classified information, especially in environments where both sensitive information and classified information are processed.

Recommendations

To secure FEMA data stored on government-issued laptop computers, we recommend that the Director of FEMA instruct the Chief Information Officer (CIO) to:

Recommendation #4: Implement appropriate inventory management controls to ensure that an accurate laptop inventory is maintained, including effective inventory reviews.

Recommendation #5: Report computer security incidents to DHS CSIRC in a timely manner to ensure that they are investigated and that appropriate corrective action is taken.

Recommendation #6:

Management Comments And OIG Analysis

FEMA concurs with recommendation 4. FEMA is revising its procedures for accountability and control of its computing resources. An inventory and reconciliation of IT property will be completed by September 30, 2007.

We accept FEMA's response to complete a comprehensive IT inventory. To ensure that an accurate laptop inventory is sustained, we maintain that FEMA should conduct annual inventory reviews.

FEMA concurs with recommendation 5. 
FEMA Instruction 1540.1 has been updated to include requirements for the Chief Security Officer and the Chief of Information Technology Security to be notified of computer security incidents. Computer security incidents will be reported to DHS CSIRC.

We accept FEMA's response to report all computer security incidents to DHS CSIRC to ensure that the incidents are investigated and appropriate corrective action is taken.

FEMA concurs with recommendation 6.
                                                                 . FEMA will implement policy changes that will ensure that all classified and unclassified laptop computers are appropriately marked.

We accept FEMA's response to

FEMA Needs To Certify And Accredit Laptop Computers To Comply With FISMA

The Federal Information Security Management Act of 2002 (FISMA), Title III of the E-Government Act (Public Law 107-347, December 17, 2002), provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support federal operations and assets. The agency's security program shall provide security for the information as well as the systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

We were unable to evaluate the effectiveness of FEMA's information security program and practices as implemented for SBU laptop computers. FEMA has 32,145 laptop computers processing sensitive information that may contain personally identifiable information. FEMA officials do not consider laptops a major application or general support system and, therefore, had not certified and accredited its laptop computers. Since our review, FEMA plans to review certification and accreditation requirements for portable computers, evaluate options, and determine the most efficient and cost-effective approach to certify and accredit FEMA laptop computers.

FISMA requires each agency to develop, document, and implement an agency-wide information security program to provide security for its information and systems. Policies should ensure that information security is addressed throughout the life cycle of each agency information system and determine minimally acceptable system configuration requirements. In addition, DHS policy requires that every DHS computing resource (e.g., desktops, laptops, servers, portable electronic devices) shall be individually accounted for as part of a recognized IT system. Further, every computing resource shall be designated as a part of an IT system.

Because FEMA has not certified and accredited its laptop computers, this presents a significant deficiency for the DHS information system security program. We believe that information systems operating without certification and accreditation could increase the risk and potential magnitude of harm. Therefore, FEMA should consider identifying this deficiency as a material weakness pursuant to Office of Management and Budget Circular No. A-123, "Management Accountability and Control," and the Federal Manager's Financial Integrity Act.

Recommendations

To secure FEMA data stored on government-issued laptop computers, we recommend that the Director of FEMA instruct the Chief Information Officer (CIO) to:

Recommendation #7: Adhere to DHS policy that requires every computing resource to be individually accounted for as part of a recognized IT system. Further, the CIO should ensure laptop computers are compliant with FISMA.

Management Comments And OIG Analysis

FEMA concurs with recommendation 7. FEMA is revising its procedures regarding accountability and control of its computing resources. FEMA's process to certify and accredit its laptops and ensure its computers are FISMA compliant is almost complete.

We accept FEMA's response to ensure its laptop computers comply with FISMA security requirements.

Appendix A
Purpose, Scope, and Methodology

The objective of this audit was to determine whether FEMA had implemented adequate and effective security policies and procedures related to the physical security of and logical access to its government-issued laptop computers. Specifically, we determined whether FEMA had implemented adequate (1) policies and procedures for inventory management; (2) physical security measures; (3) logical access controls; and (4) wireless security measures for sensitive data contained in its government-issued laptops. 
Our focus was to test the development and implementation of a model system for laptop computers processing and storing sensitive or classified DHS data, as well as the procedures used to patch and update laptops once placed into operation. In addition, we attempted to obtain FISMA information required for our annual independent evaluation. However, FEMA had not assigned its laptop computers to a recognized IT system.

FEMA's laptop computers are accounted for in LIMS, an automated property management system. On September 7, 2006, LIMS contained 32,145 laptop computers. We selected 242 laptop computers to conduct automated and manual testing. We had to exclude 115 laptop computers from our original sample because the laptops were either missing, excessed, not available, or had hardware/software conflicts. We judgmentally selected an additional 171 laptops on site to give us a sample size of 298 laptop computers.

To identify laptop computers, we analyzed the FEMA laptop computer inventory and selected the following FEMA sites for testing.

               FEMA Testing Locations and Laptop Computers (298 SBU Laptops)

Region            User-Assigned   Shared        Loaner      Unassigned   Total
Washington, DC    15 Laptops      31 Laptops    2 Laptops   12 Laptops   60 Laptops
Albany, NY        59 Laptops      -             -           -            59 Laptops
Baton Rouge, LA   85 Laptops      -             -           7 Laptops    92 Laptops
Denver, CO        73 Laptops      13 Laptops    -           1 Laptop     87 Laptops
Total             232 Laptops     44 Laptops    2 Laptops   20 Laptops   298 Laptops

We performed automated vulnerability assessment scans and port scanning of 298 laptops to determine configuration weaknesses and missing patches. In addition, we conducted detailed testing for a subset of 65 laptop computers. These tests included:
    • Detailed technical testing to confirm the automated testing results and determine account, audit, access privilege, and password parameter settings.
    • Password strength analysis to ensure that strong passwords were used.
    • Manual reviews to verify the presence and configuration of installed software.

We created a closed testing network to assess FEMA's laptop computers with an OIG scanning laptop. This closed network did not connect to the FEMA domain or the Internet. The following diagram illustrates the configuration of the OIG testing network.

[Figure: Architecture of Testing Network. Components shown: Scanning Laptop, Linksys Router, two Linksys Switches, and two groups of Target Laptops.]

Upon completion of the tests, we provided component officials with technical reports detailing the specific vulnerabilities detected on their systems and the actions needed for remediation.

We used eight testing tools to conduct internal security tests to evaluate the effectiveness of controls implemented for the systems:
    •
    •
    •
    •
    •
    •
    •
    •

9 NIST SP 800-42, Guideline on Network Security Testing, identifies Internet Scanner as a common testing tool.

We conducted fieldwork at FEMA facilities in Washington, DC; Bluemont, Virginia; Albany, New York; Baton Rouge, Louisiana; Denver, Colorado; and the OIG Advanced Technology Laboratory (ATL). The ATL supports our capability to perform effective and efficient technical assessments of DHS information systems in diverse operating environments. The ATL is a collection of hardware and software that allows the simulation, testing, and evaluation of the computing environments that are most commonly used within DHS. We conducted our audit from September to November 2006 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix C.

Our principal points of contact for the audit are Frank Deffer, Assistant Inspector General for Information Technology Audits, at (202) 254-4100, and Edward G. Coleman, Director, Information Security Audit Division, at (202) 254-5444.

[Two photographs] Source: OIG auditors conducting security scans on laptop computers in Denver, Colorado.

Appendix B
Management Comments to the Draft Report

[FEMA's management comments are reproduced as page images on pages 28 through 30.]

Appendix C
Major Contributors to this Report

Information 
Security Audits Division
Edward G. Coleman, Director
Patrick Nadon, Audit Manager
Eugene Yu, Audit Team Leader
Swati Mahajan, Referencer

Advanced Technology Division
Marcus Badley, Senior Security Engineer
David Hawkins, Senior Security Engineer
Jordan Fox, Security Engineer, Space and Naval Warfare Systems Command

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative and Intergovernmental Affairs
Chief Information Officer
Deputy Chief Information Officer
Chief Information Security Officer
Director, Compliance and Oversight Program
Chief Information Officer Audit Liaison
Chief Information Officer, FEMA
Audit Liaison, FEMA
Director, Information Security Audit Division
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
      DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.